Deploy RC 363 to Production

app/assets/stylesheets/components/_language-picker.scss

@@ -22,11 +22,7 @@
 .language-picker__label {
   align-items: center;
   display: flex;
-  background-position: right units(1.5) center;
-  background-position-y: calc(50% + 2px);
-  padding: units(0.5);
-  padding-left: units(1);
-  padding-right: units(1);
+  padding: units(0.5) units(1);
   border-color: transparent;
 
   @include at-media-max('tablet') {

app/components/badge_component.html.erb

@@ -1,4 +1,4 @@
 <%= content_tag('div', **tag_options, class: ['lg-verification-badge', *tag_options[:class]]) do %>
-  <%= image_tag(asset_path("alerts/#{icon}.svg"), size: 16, alt: '') %>
+  <%= image_tag(asset_path("alerts/#{icon}.svg"), size: 16, alt: '', role: 'img') %>
   <%= content %>
 <% end %>

app/controllers/api/internal/two_factor_authentication/piv_cac_controller.rb

@@ -4,6 +4,7 @@ module TwoFactorAuthentication
       class PivCacController < ApplicationController
         include CsrfTokenConcern
         include ReauthenticationRequiredConcern
+        include PivCacConcern
 
         before_action :render_unauthorized, unless: :recently_authenticated_2fa?
 
@@ -38,6 +39,7 @@ def destroy
             create_user_event(:piv_cac_disabled)
             revoke_remember_device(current_user)
             deliver_push_notification
+            clear_piv_cac_information
             render json: { success: true }
           else
             render json: { success: false, error: result.first_error_message }, status: :bad_request

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -129,8 +129,10 @@ def default_ial_context
     end
   end
 
-  def requested_aal_authn_context
-    saml_request.requested_aal_authn_context || default_aal_context
+  def response_authn_context
+    saml_request.requested_vtr_authn_context ||
+      saml_request.requested_aal_authn_context ||
+      default_aal_context
   end
 
   def requested_ial_authn_context
@@ -186,7 +188,7 @@ def saml_response
     encode_response(
       current_user,
       name_id_format: name_id_format,
-      authn_context_classref: requested_aal_authn_context,
+      authn_context_classref: response_authn_context,
       reference_id: active_identity.session_uuid,
       encryption: encryption_opts,
       signature: saml_response_signature_options,

app/controllers/idv/welcome_controller.rb

@@ -12,8 +12,7 @@ def show
       Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
         call('welcome', :view, true)
 
-      @sp_name = decorated_sp_session.sp_name || APP_NAME
-      @title = t('doc_auth.headings.welcome', sp_name: @sp_name)
+      @presenter = Idv::WelcomePresenter.new(decorated_sp_session)
     end
 
     def update

app/controllers/saml_idp_controller.rb

@@ -137,6 +137,7 @@ def log_external_saml_auth_request
     analytics.saml_auth_request(
       requested_ial: requested_ial,
       requested_aal_authn_context: saml_request&.requested_aal_authn_context,
+      requested_vtr_authn_context: saml_request&.requested_vtr_authn_context,
       force_authn: saml_request&.force_authn?,
       final_auth_request: sp_session[:final_auth_request],
       service_provider: saml_request&.issuer,

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -9,7 +9,6 @@ class PivCacAuthenticationSetupController < ApplicationController
 
     before_action :authenticate_user!
     before_action :confirm_user_authenticated_for_2fa_setup
-    before_action :authorize_piv_cac_disable, only: :delete
     before_action :set_piv_cac_setup_csp_form_action_uris, only: :new
     before_action :cap_piv_cac_count, only: %i[new submit_new_piv_cac]
     before_action :confirm_recently_authenticated_2fa
@@ -33,15 +32,6 @@ def error
       )
     end
 
-    def delete
-      analytics.piv_cac_disabled
-      remove_piv_cac
-      clear_piv_cac_information
-      create_user_event(:piv_cac_disabled)
-      flash[:success] = t('notices.piv_cac_disabled')
-      redirect_to account_two_factor_authentication_path
-    end
-
     def submit_new_piv_cac
       if good_nickname
         user_session[:piv_cac_nickname] = params[:name]
@@ -59,13 +49,6 @@ def track_piv_cac_setup_visit
       analytics.piv_cac_setup_visited(**analytics_properties)
     end
 
-    def remove_piv_cac
-      revoke_remember_device(current_user)
-      current_user.piv_cac_configurations.where(id: params[:id].to_i).delete_all
-      event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-      PushNotification::HttpPush.deliver(event)
-    end
-
     def render_prompt
       @presenter = PivCacAuthenticationSetupPresenter.new(
         current_user, user_fully_authenticated?, user_piv_cac_form
@@ -126,10 +109,6 @@ def track_mfa_method_added
       Funnel::Registration::AddMfa.call(current_user.id, 'piv_cac', analytics)
     end
 
-    def piv_cac_enabled?
-      TwoFactorAuthentication::PivCacPolicy.new(current_user).enabled?
-    end
-
     def process_invalid_submission
       if user_piv_cac_form.name_taken
         flash.now[:error] = t('errors.piv_cac_setup.unique_name')
@@ -140,11 +119,6 @@ def process_invalid_submission
       end
     end
 
-    def authorize_piv_cac_disable
-      return if piv_cac_enabled? && MfaPolicy.new(current_user).multiple_factors_enabled?
-      redirect_to account_two_factor_authentication_path
-    end
-
     def good_nickname
       name = params[:name]
       name.present? && !PivCacConfiguration.exists?(user_id: current_user.id, name: name)

app/controllers/users/totp_setup_controller.rb

@@ -39,14 +39,6 @@ def confirm
       end
     end
 
-    def disable
-      if MfaPolicy.new(current_user).multiple_factors_enabled?
-        process_successful_disable
-      else
-        redirect_to account_two_factor_authentication_path
-      end
-    end
-
     private
 
     def totp_setup_form
@@ -102,21 +94,6 @@ def create_events
       Funnel::Registration::AddMfa.call(current_user.id, 'auth_app', analytics)
     end
 
-    def process_successful_disable
-      analytics.totp_user_disabled
-      create_user_event(:authenticator_disabled)
-      revoke_remember_device(current_user)
-      revoke_otp_secret_key
-      flash[:success] = t('notices.totp_disabled')
-      redirect_to account_two_factor_authentication_path
-    end
-
-    def revoke_otp_secret_key
-      Db::AuthAppConfiguration.delete(current_user, params[:id].to_i)
-      event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-      PushNotification::HttpPush.deliver(event)
-    end
-
     def process_invalid_code
       flash[:error] = if totp_setup_form.name_taken
                         t('errors.piv_cac_setup.unique_name')

app/javascript/packages/clipboard-button/package.json

@@ -3,7 +3,7 @@
   "version": "1.0.0",
   "private": true,
   "dependencies": {
-    "@18f/identity-design-system": "^8.1.2"
+    "@18f/identity-design-system": "^9.0.0"
   },
   "sideEffects": [
     "./clipboard-button-element.ts"

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -22,6 +22,7 @@ import AcuantCaptureCanvas from './acuant-capture-canvas';
 import AcuantContext, { AcuantCaptureMode } from '../context/acuant';
 import AnalyticsContext from '../context/analytics';
 import DeviceContext from '../context/device';
+import SelfieCaptureContext from '../context/selfie-capture';
 import FailedCaptureAttemptsContext from '../context/failed-capture-attempts';
 import FileInput from './file-input';
 import UploadContext from '../context/upload';
@@ -320,6 +321,7 @@ function AcuantCapture(
   } = useContext(AcuantContext);
   const { isMockClient } = useContext(UploadContext);
   const { trackEvent } = useContext(AnalyticsContext);
+  const { isSelfieCaptureEnabled } = useContext(SelfieCaptureContext);
   const fullScreenRef = useRef<FullScreenRefHandle>(null);
   const inputRef = useRef<HTMLInputElement>(null);
   const isForceUploading = useRef(false);
@@ -382,6 +384,7 @@ function AcuantCapture(
       ...payload,
       captureAttempts,
       acuantCaptureMode: payload.source === 'upload' ? null : acuantCaptureMode,
+      liveness_checking_required: isSelfieCaptureEnabled,
     };
     incrementCaptureAttempts();
     return enhancedPayload;
@@ -424,7 +427,11 @@ function AcuantCapture(
     return <T extends (...args: any[]) => any>(fn: T) =>
       (...args: Parameters<T>) => {
         if (!isSuppressingClickLogging.current) {
-          trackEvent(`IdV: ${name} image clicked`, { source, ...metadata });
+          trackEvent(`IdV: ${name} image clicked`, {
+            source,
+            ...metadata,
+            liveness_checking_required: isSelfieCaptureEnabled,
+          });
         }
 
         return fn(...args);
@@ -591,6 +598,7 @@ function AcuantCapture(
       size: getDecodedBase64ByteSize(nextCapture.image.data),
       fingerprint: null,
       failedImageResubmission: false,
+      liveness_checking_required: false,
     });
 
     trackEvent(
@@ -655,6 +663,7 @@ function AcuantCapture(
       field: name,
       acuantCaptureMode,
       error: getNormalizedAcuantCaptureFailureMessage(error, code),
+      liveness_checking_required: isSelfieCaptureEnabled,
     });
   }
 

app/javascript/packages/document-capture/components/barcode-attention-warning.tsx

@@ -1,9 +1,11 @@
 import { Button, StatusPage } from '@18f/identity-components';
 import { t } from '@18f/identity-i18n';
 import { trackEvent } from '@18f/identity-analytics';
+import { useContext } from 'react';
 import { removeUnloadProtection } from '@18f/identity-url';
 import type { PII } from '../services/upload';
 import DocumentCaptureTroubleshootingOptions from './document-capture-troubleshooting-options';
+import SelfieCaptureContext from '../context/selfie-capture';
 
 interface BarcodeAttentionWarningProps {
   /**
@@ -18,15 +20,20 @@ interface BarcodeAttentionWarningProps {
 }
 
 function BarcodeAttentionWarning({ onDismiss, pii }: BarcodeAttentionWarningProps) {
+  const { isSelfieCaptureEnabled } = useContext(SelfieCaptureContext);
   function skipAttention() {
-    trackEvent('IdV: barcode warning continue clicked');
+    trackEvent('IdV: barcode warning continue clicked', {
+      liveness_checking_required: isSelfieCaptureEnabled,
+    });
     removeUnloadProtection();
     const form = document.querySelector<HTMLFormElement>('.js-document-capture-form');
     form?.submit();
   }
 
   function handleDismiss() {
-    trackEvent('IdV: barcode warning retake photos clicked');
+    trackEvent('IdV: barcode warning retake photos clicked', {
+      liveness_checking_required: isSelfieCaptureEnabled,
+    });
     onDismiss();
   }
 

app/javascript/packages/document-capture/components/document-capture-warning.tsx

@@ -8,6 +8,7 @@ import DocumentCaptureTroubleshootingOptions from './document-capture-troublesho
 import UnknownError from './unknown-error';
 import { InPersonContext } from '../context';
 import AnalyticsContext from '../context/analytics';
+import SelfieCaptureContext from '../context/selfie-capture';
 
 interface DocumentCaptureWarningProps {
   isFailedDocType: boolean;
@@ -77,6 +78,7 @@ function DocumentCaptureWarning({
 }: DocumentCaptureWarningProps) {
   const { t } = useI18n();
   const { inPersonURL } = useContext(InPersonContext);
+  const { isSelfieCaptureEnabled } = useContext(SelfieCaptureContext);
   const { trackEvent } = useContext(AnalyticsContext);
 
   const nonIppOrFailedResult = !inPersonURL || isFailedResult;
@@ -109,6 +111,7 @@ function DocumentCaptureWarning({
       heading,
       subheading: subheadingText,
       error_message_displayed: errorMessageDisplayed,
+      liveness_checking_required: isSelfieCaptureEnabled,
     });
   }, []);
 

app/javascript/packages/document-capture/components/review-issues-step.tsx

@@ -6,6 +6,7 @@ import type { PII } from '../services/upload';
 import AnalyticsContext from '../context/analytics';
 import BarcodeAttentionWarning from './barcode-attention-warning';
 import FailedCaptureAttemptsContext from '../context/failed-capture-attempts';
+import SelfieCaptureContext from '../context/selfie-capture';
 import DocumentCaptureWarning from './document-capture-warning';
 import DocumentCaptureReviewIssues from './document-capture-review-issues';
 
@@ -64,6 +65,7 @@ function ReviewIssuesStep({
   failedImageFingerprints = { front: [], back: [] },
 }: ReviewIssuesStepProps) {
   const { trackEvent } = useContext(AnalyticsContext);
+  const { isSelfieCaptureEnabled } = useContext(SelfieCaptureContext);
   const [hasDismissed, setHasDismissed] = useState(remainingSubmitAttempts === Infinity);
   const { onPageTransition, changeStepCanComplete } = useContext(FormStepsContext);
   const [skipWarning, setSkipWarning] = useState(false);
@@ -100,7 +102,9 @@ function ReviewIssuesStep({
   }, []);
 
   function onWarningPageDismissed() {
-    trackEvent('IdV: Capture troubleshooting dismissed');
+    trackEvent('IdV: Capture troubleshooting dismissed', {
+      liveness_checking_required: isSelfieCaptureEnabled,
+    });
 
     setHasDismissed(true);
   }

app/javascript/packages/document-capture/context/acuant.tsx

@@ -3,6 +3,7 @@ import type { ReactNode } from 'react';
 import useObjectMemo from '@18f/identity-react-hooks/use-object-memo';
 import AnalyticsContext from './analytics';
 import DeviceContext from './device';
+import SelfieCaptureContext from './selfie-capture';
 
 /**
  * Global declarations
@@ -221,6 +222,7 @@ function AcuantContextProvider({
 }: AcuantContextProviderProps) {
   const { isMobile } = useContext(DeviceContext);
   const { trackEvent } = useContext(AnalyticsContext);
+  const { isSelfieCaptureEnabled } = useContext(SelfieCaptureContext);
   // Only mobile devices should load the Acuant SDK. Consider immediately ready otherwise.
   const [isReady, setIsReady] = useState(!isMobile);
   const [isAcuantLoaded, setIsAcuantLoaded] = useState(false);
@@ -275,6 +277,7 @@ function AcuantContextProvider({
             trackEvent('IdV: Acuant SDK loaded', {
               success: true,
               isCameraSupported: nextIsCameraSupported,
+              liveness_checking_required: isSelfieCaptureEnabled,
             });
 
             setIsCameraSupported(nextIsCameraSupported);
@@ -287,6 +290,7 @@ function AcuantContextProvider({
             success: false,
             code,
             description,
+            liveness_checking_required: isSelfieCaptureEnabled,
           });
 
           setIsError(true);

app/javascript/packs/navigation.ts

@@ -1,3 +1,3 @@
-import { header } from '@18f/identity-design-system';
+import { navigation } from '@18f/identity-design-system';
 
-header.on();
+navigation.on();